Questions tagged [csrf]

1 vote, 1 answer, 302 views

CSRF - sending ajax requests to get token

I am developing CSRF protection for my website. I am saving the token in a hidden input in the form + session, then I check if they're equal. I am just wondering about this scenario: user visits malicious website, malicious website sends ajax GET request to get page with form and extracts token from it, malic...
Tadeas J
1 vote, 0 answers, 380 views

How to enable CSRF protection in Spring Security 3.0

I'm trying to enable CSRF protection in Spring Security 3.0. All the articles I've found point to using the tag, which doesn't exist in this version of Spring Security and there's no chance of me upgrading to a newer version of Spring any time soon. (Corporate environment) With this in mind, how c...
Beth
1 vote, 0 answers, 107 views

How do I send a secure cookie over HTTPS on Android Retrofit 2/OkHTTP3?

I'm using Retrofit 2. For some reason, my Android app can never succeed in calling the backend Django API due to CSRF token failure because CSRF_COOKIE_SECURE is set to True. So how do I send the cookies over OkHttp3 and Retrofit 2 as secure (over HTTPS)?
waynejohn1110
1 vote, 0 answers, 251 views

Codeigniter REST. How to properly protect against csrf

I am using the REST server by Phil Sturgeon and I was wondering how I can do CSRF Protection properly? Currently I am using this method: if(stripos($_SERVER['REQUEST_URI'],'API')!=''){ $config['csrf_protection'] = FALSE; }else{ $config['csrf_protection'] = TRUE;} However, I have read that this is n...
JianYA
1 vote, 1 answer, 856 views

Bad request 400 in Odoo contact form. Session expired('Invalid CSRF token')

I am facing an error in Odoo v 10 with the contact form, when I press the send button it gives an exception: Traceback (most recent call last): File '/usr/lib/python2.7/dist-packages/odoo/addons/base/ir/ir_http.py', line 195, in _dispatch result = request.dispatch() File '/usr/lib/python2.7/dist-pac...
Alberto Méndez
1 vote, 1 answer, 261 views

How to handle csrf tokens during testing of a backend api

How do I handle csrf middleware functionality when running unit/integration tests? I have an Angular web app that sits in front of an Express backend API. All of the backend routes are mounted after the csrf middleware, so during tests, I always run into the ForbiddenError: invalid csrf token error....
cusejuice
1 vote, 0 answers, 180 views

CSRF protection in singlepage web application

My application structure is as follows: 1) API server running in api.mydomain.com 2) Frontend VueJS application running in www.mydomain.com. So I implemented authentication via httponly cookie, but I am a little confused with the CSRF token implementation. My solution: 1) CSRF token from the url like /getCSRF. 2) Store...
iam batman
1 vote, 0 answers, 276 views

Laravel 5.5 post request error

I'm working on the project using Laravel 5.5. I have resource controller and trying to save data in store method. The route looks like this: Route::resource('post', 'Post\PostController'); This is Store method in the controller: public function store(Request $request) { dd($request); } And also I ha...
LTM
1 vote, 0 answers, 308 views

CSRF attack from previous session

I have written a Filter which generates a random token and serves it to a JSP, where on the JSP I have an ajax call which returns the token value, and on that ajax call I validate the token. Servlet Filter String origin = request.getHeader('Referer'); log.info('URL obtained from referer :'+origin); if(origin!...
Aniket G
1 vote, 1 answer, 363 views

Javascript - protect API key

I know this is a really common question, and lots has been written about it. Despite reading a lot online however, I can't find a suitable solution. I have a fully public website - there is no login/secure area. The whole site is powered by API calls to various 3rd party websites. The site uses Reac...
swalesong
1 vote, 0 answers, 366 views

flask error CSRF token is missing

I'm trying to disable some requests by the POST method with the extension flask-restful. In the documentation it tells me how to disable csrf but it does not work. These are my files /app.py from flask import Flask from models.model import db from Views.View import view from api import restApi from a...
Francisco
1 vote, 0 answers, 284 views

Redirect login page to main app page with CSRF token PHP/Javascript

I have a login page (login.php) that redirects to my main page (dashboard.php). When the user POSTs their email and password to login.php I validate credentials, create a CSRF token, store it in the session, and then redirect to dashboard.php. Upon redirection, however, dashboard.php is doing its...
shreddish
1 vote, 0 answers, 344 views

Csrf token is invalid

I've been having the 'Csrf token is invalid' error. I tried to add the {{ form_end(form) }} or remove the token from {{ form_widget(form._token) }} but it doesn't work. Please help me fix this problem; here is my registration content file {% trans_default_domain 'FOSUserBundle' %} Sign into your page...
1 vote, 2 answers, 802 views

Spring Boot - Spring Security CSRF protection not injecting token in login page

I am following this tutorial but they have disabled the csrf protection. So I removed the csrf().disabled() code, but then the token is not being injected and I cannot login properly because of: DEBUG 5276 --- [nio-8080-exec-6] o.s.security.web.csrf.CsrfFilter: Invalid CSRF token found for http://loc...
Fernando Fradegrada
1 vote, 1 answer, 961 views

regenerate csrf token after ajax request

How to regenerate a token's input after an ajax request, so I don't need to reload the page? Here's my php code to generate a token and here's my jQuery code to send an ajax request function load() { $('#load-data').load('process/karyawan/load.php'); } function insert(){ $('form').submit(function...
Agus Priyanto
1 vote, 0 answers, 164 views

Change name of CSRF filter in Tomcat 9

By default the Tomcat CSRF filter generates an ID like org.apache.catalina.filters.CSRF_NONCE=C6D6CB73AC793EC7BC55BADA791A5DE3. I want to change the name from org.apache.catalina.filters.CSRF_NONCE to MY_NONCE.
Mitesh Patel
1 vote, 0 answers, 175 views

Invalid CSRF token with edge or iexplore

This website is a Symfony 2.8 using FOSUser. The login form works well for these browsers: chrome, firefox, opera. But fails with an 'Invalid CSRF token' (in _profiler, tab logs) on: edge, internet explorer. In all these cases, the same PHP is used to generate the login form. I can only think of a defect...
nicolallias
1 vote, 2 answers, 51 views

Django CSRF Error fixed by just visiting page in multi-page form?

I have two forms on two pages, one leads to the other. When 'Submit' is pressed on page 1 it is supposed to take you to the form on page 2. Page 2 fails with 'CSRF verification failed. Request aborted.' With the reason being 'CSRF cookie not set.' The weird part is that if I go directly to Page 2, i...
thrillhouse
1 vote, 2 answers, 128 views

MethodNotAllowedHttpException path without CSRF

I pass a route in Laravel which is called by a function in JS, and I have no control of it because it is external. This route is a POST method since I need it to be that way, but it generates a MethodNotAllowedHttpException. How do I exclude certain routes from this validation? Note: I have already...
Mhurtado
1 vote, 2 answers, 507 views

Anti forgery tokens are reusable even after one request

I am working on an asp.net mvc application. Here in the view I have added @Html.AntiForgeryToken() and in the controller I have added the attribute [ValidateAntiForgeryToken]. Now my point is, when I send a request for deleting any document one antiforgery token is created. I have copied that token, and again I am...
ketan
1 vote, 0 answers, 216 views

Spring security is blocking call to a button on a login page

Issue: I am displaying a button for changing the language on a custom login form. When the user clicks on the button there should be a call to a function that changes the language; however, that is not happening because spring security is blocking other calls on that page. Java spring security configura...
mkrstin
1 vote, 0 answers, 232 views

How do I disable csrf protection on gitlab enterprise server?

I have an internal requirement to stress gitlab to evaluate its performance serving requests for large sized repos with concurrent commits by many engineers. I am using JMeter to record a flow of committing a file from the UI. On replay, I get a 403 because the csrf token validation fails. I have tr...
Jai
1 vote, 1 answer, 164 views

CSRF for RESTful API

As far as I understand CSRF, this is a very simple scheme: User (Bob) has auth cookies for MyApp.com in his browser. Attacker sends email to Bob with a link to website MyApp-Crack.com with magic button 'Click to win $10.000' which is button='submit' of a simple hidden form with action='myapp.com/use...
Luke1988
1 vote, 1 answer, 217 views

How can I add CSRF token to upload file using HTML 5 (data-) inside an input?

I'm using this bootstrap-fileinput plugin to upload files in my WebApp. To develop this WebApp I'm using: Bootstrap4, Thymeleaf and Spring Boot. I would like to use the html5 convention to use that plugin, so this is the code: But I enabled the CSRF protection with Spring Security. So when I try t...
PaolaG
1 vote, 0 answers, 108 views

CSRF setup on grails

I'm working on a grails 2.5 application. I have set up CSRF configuration for my application referring to this and it's working fine. I'm setting the header whenever an ajax request is being sent and similarly I'm adding a CSRF parameter when a form is being submitted. I had a few queries: CSRF token remain...
dev-eloper
1 vote, 0 answers, 158 views

How does Flask-Admin SecureForm and CSRF protection work

I'm currently writing a simple blog application using Flask-Admin for administrative tasks. I'd like to enable CSRF protection and have followed the instructions on the Advanced Functionality page in the docs. However, this doesn't seem to prevent my dummy CSRF attacks from succeeding and it is uncl...
Jon Badiali
1 vote, 0 answers, 180 views

Django in docker: ajax POST is failing csrf

I'm attempting to set up my Django 1.11 application in Docker containers. Here's a summary of what I've done so far: Set up docker-compose.yml with an image for redis, django/uwsgi, and jwilder/nginx-proxy:alpine. docker-compose build runs with no issues. Set up my Django code so the client sends an...
Adam
1 vote, 0 answers, 183 views

Tomcat RestCsrfPreventionFilter - cannot get CSRF nonce

So I have enabled the RestCsrfPreventionFilter in Tomcat for my REST API. At a high level, it is working mostly right. Any endpoints that modify my application's state (ie, POST, PUT, etc) get rejected due to not having a CSRF nonce in the request. The problem I'm running into is I can't seem to get...
user2223059
1 vote, 0 answers, 122 views

How to include Django CSRF token in request through ngrok?

I am building a Django app that will be hosted on a local network and perform authentication using Facebook Login. Since Facebook Login requires the callback address for a login to either be localhost or publicly-addressable, I'm using ngrok to create an address for Facebook to return data to. After...
phepp
1 vote, 0 answers, 81 views

CSRF Implementation and Stripe API

Is the following a secure implementation of CSRF token verification? Specifically, I want to call this Stripe API endpoint: https://connect.stripe.com/express/oauth/authorize?redirect_uri=https://example.com&client_id=ca_11111&state={STATE_VALUE} and the Stripe docs say To prevent CSRF attacks, add...
user4184113
1 vote, 2 answers, 2.2k views

How to add csrf token to the html form?

After I enabled csrf (removed the line .csrf().disable()) in my application my login request stopped working - /login POST redirects me to the home page. The request looks like this: On the page I have the following js: ... $('#login-form').submit(function (ev) { ev.preventDefault(); // to stop the form from sub...
gstackoverflow
1 vote, 0 answers, 1.2k views

MissingCsrfTokenException: Could not verify the provided CSRF token because your session was not found

I am reading the spring documentation: Adding CSRF to Stomp Header. And I try to add the stomp header to the connect event but I get the error on the client: >>> CONNECT XSRF-TOKEN:f86232c1-e877-46e9-b4e6-7427c3d89940 accept-version:1.1,1.0 heart-beat:10000,10000
gstackoverflow
1 vote, 0 answers, 152 views

Anti-CSRF form Token validation always failed

I've been looking into session security and have read that adding a randomly generated 'token' to a form and validating it upon the submission of the said form can help with CSRF (Cross-Site Request Forgery). So I set up a test using someone else's example to see how it works but it doesn't go well....
EWobble
1 vote, 0 answers, 317 views

django sessionid, csrftoken and vue axios

I have a question about using vue axios frontend and Django backend in cors-domain environment. My cookie can use set-Cookie sessionid and csrftoken but frontend can't get these parameters to save to my document. If I use my chrome explorer, the application cookie is empty but I can find the cookie...
M. N
1 vote, 2 answers, 427 views

Gatling test CSRF Spring Security block my post via a web form

I want to do a Gatling test and send a form via a POST with form params, but I get a 403 because of the CSRF token generated by Spring Security. This is my scenario: val sentHeaders = Map( 'Content-Type' -> 'application/x-www-form-urlencoded', 'User-Agent' -> 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52...
AlexAlba
1 vote, 0 answers, 150 views

Django: Clearing request.session between forms causes csrf token error?

I am facing a very specific problem that I've narrowed down to a particular reason, and I am afraid I may simply be misunderstanding or wrongly applying my logic here. Django users will know that CSRF protection is handled by a django middleware and that each form used in the project should be foll...
Akshya
1 vote, 1 answer, 396 views

Forbidden 403 : CSRF Validation failed error in Firefox, not in chrome

I have a webpage with more than 1 form with POST. I have included {% csrf_token %} in each of the forms. {% csrf_token %} In my view I have used both the ensure_csrf_cookie and csrf_protect decorators @ensure_csrf_cookie @csrf_protect @operation('monitor') def monitor(request, **kwargs): The first POST r...
1 vote, 1 answer, 484 views

Angular 5 xsrf-token cookie and x-xsrf-header are not same

I am changing the xsrf-token cookie value on each request at the backend. I am making more than one http call at a time to the server, but for some requests the 'xsrf-cookie' value and 'x-xsrf-header' value are not the same. I tried to add the x-xsrf-header manually through parameters, but the header value is not up to d...
LokiKartik
1 vote, 1 answer, 51 views

Getting CSRF token missing or incorrect for one route but not the other

Working on React/Django and have run into an issue I can't resolve. On the front end, there is the following JS sending data to the Django API. In this case, rejectedDocuemts() is sending an array of filenames to the backend so eventually an email can be created and sent to the admin to review. File...
sockpuppet
1 vote, 1 answer, 368 views

CakePHP 3 cors,X-CSRF-Token

I have some issue with implementing CSRFProtection for my input forms. The following variable is always empty in CSRFProtectionMiddleware.php: $header = $request->getHeaderLine('X-CSRF-Token'); For that reason I always get the CSRF 'token mismatch.' error message. The problem would be with: $this->respo...
Andrewboy